VBS Logon Scripts, Part Two

In the previous article, we wrote a VBS logon script. In the fourth installment
of our seven-part series on scripting in Windows 2000 Active Directory, we will
attach that logon script to an organizational unit. This will cause every user
in the OU to receive this script.

by Jim Hudson

This article is derived from Special Edition Using Active Directory,
by Jim Hudson and Sean Fullerton (Que Publishing, November 2000).

Attaching a Logon Script Through Group Policy

After we have written or identified our WSH script, we can attach it to a site,
domain, or organizational unit through Group Policy. First we must choose the
container object that we want to receive the logon script. In our example, we
have identified an organizational unit called support that will use our logon
script. These are desktop support people for one of our business units, and
we want to configure the desktop when they log on so that certain tools and
features will always be available to them.

First we must open the Group Policy editor. Because we are applying this script
to users, we will choose the User Configuration/Windows Settings/Scripts node
of Group Policy, as shown in Figure 1.

To apply a logon script here, we must double-click the Logon icon in the name
pane of the Group Policy editor. This opens the Logon Properties page, shown
in Figure 2. Here we can assign and configure one or more logon scripts for
this Group Policy.

To understand the next step, we need to know a little about Group Policy
architecture. A Group Policy object is really made of two things: a Group
Policy container, which is information about the Group Policy, stored in
Active Directory; and a Group Policy template, which is a series of filesystem
objects, such as files and folders. The Group Policy identifier is the GUID.
This system-generated hexadecimal number is used to synchronize the
information in AD with the filesystem. The Group Policy container is
replicated to other domain controllers through normal AD replication, and
the Group Policy template is replicated to other domain controllers through
the File Replication Service (FRS).

If we want our logon script to be universally available, we need to copy it
to the scripts subdirectory of our Group Policy template. To do so, simply use
the Explorer to right-click/copy your file, and then click the Show Files button,
seen in Figure 2. This will open the Logon page, shown in Figure 3. We can then
paste the file into this page. After we have done so, this file will be
replicated to all other domain controllers in our domain.

NOTE

Notice the path at the top of Figure 3. This is the filesystem path to the
SYSVOL share on the local domain controller. Because the GUID is the name of
the Group Policy, the folder is named using the GUID.

We can either type the name of our script or use the Browse button. If we have
added our script to the Logon folder, it will appear in the Browse page, shown
in Figure 5. We can simply select it and click Open. This will return us to the
Add a Script page, where we click OK. Our script is now applied as a logon
script to this Group Policy. Remember that every edit is an implied save in the
Group Policy editor.

Although we have demonstrated applying a script to the logon event for a user,
remember that Group Policy can run scripts at the startup and shutdown of a
computer as well as at the logon and logoff of a user.
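
Because every file assigned from the Group Policy template's Logon folder runs for each user in the OU, that folder is worth checking against an approved baseline. The Python below is an added example, not code from the article or the book: it reads scripts.ini (the file under User\Scripts in which Windows records assigned scripts, not mentioned in the article), flags scripts that live outside the GPT, and compares the rest by SHA-256. The GUID, support.vbs, and the fileserver path are constructed sample values.

```python
import hashlib, re, tempfile
from pathlib import Path, PureWindowsPath

def read_logon_entries(scripts_dir):
    """Return the CmdLine values from the [Logon] section of scripts.ini, in order."""
    ini = scripts_dir / "scripts.ini"
    if not ini.is_file():
        return []
    raw = ini.read_bytes()  # normally UTF-16 with a BOM; otherwise treat as single-byte
    text = raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1")
    section, cmds = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "logon" and (m := re.match(r"(\d+)CmdLine=(.*)", line, re.I)):
            cmds[int(m.group(1))] = m.group(2)
    return [cmds[i] for i in sorted(cmds)]

def audit_gpt(gpt_root, baseline):
    """Return [(cmdline, status)] for every logon script assigned in this GPT."""
    scripts_dir = gpt_root / "User" / "Scripts"
    findings = []
    for cmdline in read_logon_entries(scripts_dir):
        win = PureWindowsPath(cmdline)
        target = (scripts_dir / "Logon").joinpath(*win.parts)
        if win.anchor or ".." in win.parts:  # drive, UNC or parent path: not in the GPT
            status = "outside-gpt"
        elif not target.is_file():
            status = "missing"
        elif hashlib.sha256(target.read_bytes()).hexdigest() != baseline.get(cmdline.lower()):
            status = "hash-mismatch"
        else:
            status = "ok"
        findings.append((cmdline, status))
    return findings

def demo():
    """Audit a constructed GPT before and after an unapproved edit to its script."""
    with tempfile.TemporaryDirectory() as tmp:
        gpt = Path(tmp) / "Policies" / "{00000000-0000-0000-0000-000000000000}"  # placeholder GUID
        logon = gpt / "User" / "Scripts" / "Logon"
        logon.mkdir(parents=True)
        script = logon / "support.vbs"
        script.write_text('WScript.Echo "approved"\n')
        baseline = {"support.vbs": hashlib.sha256(script.read_bytes()).hexdigest()}
        ini = "[Logon]\r\n0CmdLine=support.vbs\r\n0Parameters=\r\n1CmdLine=\\\\fileserver\\tools\\extra.vbs\r\n"
        (logon.parent / "scripts.ini").write_bytes(ini.encode("utf-16"))
        before = audit_gpt(gpt, baseline)
        script.write_text('WScript.Echo "changed"\n')
        return before, audit_gpt(gpt, baseline)
```

Calling demo() returns the findings before and after the edit; against a real domain, audit_gpt would be pointed at each GUID-named folder under the SYSVOL Policies directory.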